nvidia device plugin privileged

This reverts commit 78f01de0a5.

apps/baikal/deployment.yaml

@@ -1,34 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: baikal
-  namespace: baikal
-spec:
-  selector:
-    matchLabels:
-      app: baikal
-  template:
-    metadata:
-      labels:
-        app: baikal
-    spec:
-      containers:
-        - name: baikal
-          image: ckulka/baikal:nginx
-          ports:
-            - containerPort: 80
-              name: http
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /var/www/baikal/config
-              name: config
-            - mountPath: /var/www/baikal/Specific
-              name: data
-      restartPolicy: Always
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: config
-        - name: data
-          persistentVolumeClaim:
-            claimName: data

apps/baikal/ingress.yaml

@@ -1,27 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: baikal
-  namespace: baikal
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-  - host: baikal.michaelthomson.dev
-    http:
-      paths:
-      - pathType: ImplementationSpecific
-        path: /
-        backend:
-          service:
-            name: baikal
-            port: 
-              name: http
-  tls:
-    - hosts:
-        - baikal.michaelthomson.dev
-      secretName: baikal-tls

apps/baikal/pvc-config.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: config
-  namespace: baikal
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

apps/baikal/pvc-data.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: data
-  namespace: baikal
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

apps/baikal/service.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: baikal
-  namespace: baikal
-spec:
-  selector:
-    app: baikal
-  ports:
-    - name: http
-      port: 80
-      targetPort: http

apps/gitea/mailer-config-secret.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-data:
-    mailer: ENC[AES256_GCM,data:baGCpPHJejjMFeiBcgSroJWqmUj/8PzvwAdzZ+nLacen2I91iaIRIgztvsk=,iv:6M2+sKRc1ZC5CqY4X43xgGO/CeWOfjMVzNgelYd0V6c=,tag:I15tnxf8CQaLu+/0GNdeOA==,type:str]
+stringData:
+    mailer: ENC[AES256_GCM,data:IrYl0ghmMpe7LCGuHFAv8OOnnYPnxed8M86qEnXct/d3Xlf+vQ==,iv:d/Egq7dRzNbx/5cEL5lKxD+ZsDhTLCB1EGnP6RXok00=,tag:aiQoSAMKQ1b0mXUT0lw8+w==,type:str]
 kind: Secret
 metadata:
     name: gitea-mailer-config-secret
@@ -16,7 +16,7 @@ sops:
             NkI0eUlmYjg3Zk9iVmNkZVpXWkh2TW8K/coOzGAPF42522cM6DZVAEEv3LmZaIhu
             BVyl8ijATNLMIfiFpP5bHpljPHrn3lGP70RzwoCV15t1fC6pjeParA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T20:36:08Z"
-    mac: ENC[AES256_GCM,data:QBxnUAGg6xchZ9iqKK8gAmdJhDfma5BZlJVRZcfzGM57diuO2OE4JDbjW5gqf21OACL4d2funVlXRVlioLoe0tfZJY3AAedOmyQVXdrr0PwarbPztbWAFVvIMeQWPZUyPd3GxgaAATeBVCanSEgVTIOVqCN/DXNSHY2XcQ9x9Y0=,iv:ugLYt5NxsTIy0wUul748IGIzayG+zPQ/z5kH3T9IfiE=,tag:3yTjZ+MMMVNmi/8p321fFg==,type:str]
+    lastmodified: "2026-05-12T01:59:49Z"
+    mac: ENC[AES256_GCM,data:TSNyIUQIRaX27K9ZbyiMCayFFIeUKmfD4Bz9Zu7Apa7NGqXmAWabzY3KHyjL14LDxmv4XJpA5W3DLI920DfOEUq2iW9EogMfSV7nEMMA6lzYMf+ca5W0BCwPE0MDBkTIL2nREoZh0FGDmq1M2syRIfaBrFKq97ZozQqz4AA8iZc=,iv:wCjERwABseOGN7LWiLzoT4VGHk9vnGdN0yl2eeQTAho=,tag:j/bDGqPoTm5FFGhERh1KJQ==,type:str]
     encrypted_regex: ^(data|stringData)$
-    version: 3.11.0
+    version: 3.12.2

apps/gitea/release.yaml

@@ -17,8 +17,6 @@ spec:
     global:
       storageClass: longhorn
 
-    replicaCount: 1
-
     service:
       ssh:
         type: LoadBalancer
@@ -47,9 +45,7 @@ spec:
           secretName: gitea-tls
 
     persistence:
-      claimName: gitea-shared-storage
       size: 10Gi
-      storageClass: longhorn
 
     gitea:
       config:
@@ -65,11 +61,11 @@ spec:
           ALLOWED_HOST_LIST: external,loopback,private
         mailer:
           ENABLED: true
-          FROM: gitea@michaelthomson.dev
+          FROM: server@michaelthomson.dev
           PROTOCOL: smtps
           SMTP_ADDR: mail.michaelthomson.dev
           SMTP_PORT: 465
-          USER: gitea@michaelthomson.dev
+          USER: server@michaelthomson.dev
       admin:
         existingSecret: admin-secret
         email: "gitea@michaelthomson.dev"
@@ -77,23 +73,17 @@ spec:
         - secret:
             secretName: gitea-mailer-config-secret
 
-    redis-cluster:
+    valkey-cluster:
       enabled: false
 
+    valkey:
+      enabled: true
+
     postgresql-ha:
       enabled: false
 
     postgresql:
       enabled: true
-      global:
-        postgresql:
-          auth:
-            password: gitea
-            database: gitea
-            username: gitea
-          service:
-            ports:
-              postgresql: 5432
       primary:
         persistence:
           size: 10Gi

apps/homeassistant/networkresource.yaml

@@ -0,0 +1,13 @@
+apiVersion: netbird.io/v1alpha1
+kind: NetworkResource
+metadata:
+  name: homeassistant
+  namespace: homeassistant
+spec:
+  networkRouterRef:
+    name: homelab
+    namespace: netbird
+  serviceRef:
+    name: homeassistant
+  groups:
+    - name: All

apps/immich/cluster.yaml

@@ -8,7 +8,7 @@ metadata:
     cnpg.io/skipEmptyWalArchiveCheck: enabled
 spec:
   imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.3.0
-  instances: 2
+  instances: 3
 
   postgresql:
     shared_preload_libraries:

apps/kube-prometheus-stack/release-alloy.yaml

@@ -0,0 +1,145 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: alloy
+  namespace: kube-prometheus-stack
+spec:
+  chart:
+    spec:
+      chart: alloy
+      version: 1.x
+      sourceRef:
+        kind: HelmRepository
+        name: grafana
+  interval: 15m
+  releaseName: alloy
+  values:
+    alloy:
+      configMap:
+        content: |-
+          // Write your Alloy config here:
+          loki.write "default" {
+            endpoint {
+              url = "http://loki:3100/loki/api/v1/push"
+            }
+          }
+
+          // discovery.kubernetes allows you to find scrape targets from Kubernetes resources.
+          // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.
+          discovery.kubernetes "pod" {
+            role = "pod"
+            // Restrict to pods on the node to reduce cpu & memory usage
+            selectors {
+              role = "pod"
+              field = "spec.nodeName=" + coalesce(sys.env("HOSTNAME"), constants.hostname)
+            }
+          }
+
+          // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.
+          // If no rules are defined, then the input targets are exported as-is.
+          discovery.relabel "pod_logs" {
+            targets = discovery.kubernetes.pod.targets
+
+            // Label creation - "namespace" field from "__meta_kubernetes_namespace"
+            rule {
+              source_labels = ["__meta_kubernetes_namespace"]
+              action = "replace"
+              target_label = "namespace"
+            }
+
+            // Label creation - "pod" field from "__meta_kubernetes_pod_name"
+            rule {
+              source_labels = ["__meta_kubernetes_pod_name"]
+              action = "replace"
+              target_label = "pod"
+            }
+
+            // Label creation - "container" field from "__meta_kubernetes_pod_container_name"
+            rule {
+              source_labels = ["__meta_kubernetes_pod_container_name"]
+              action = "replace"
+              target_label = "container"
+            }
+
+            // Label creation -  "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name"
+            rule {
+              source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"]
+              action = "replace"
+              target_label = "app"
+            }
+
+            // Label creation -  "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name"
+            // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name
+            rule {
+              source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"]
+              action = "replace"
+              target_label = "job"
+              separator = "/"
+              replacement = "$1"
+            }
+
+            // Label creation - "__path__" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name"
+            // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log
+            rule {
+              source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
+              action = "replace"
+              target_label = "__path__"
+              separator = "/"
+              replacement = "/var/log/pods/*$1/*.log"
+            }
+
+            // Label creation -  "container_runtime" field from "__meta_kubernetes_pod_container_id"
+            rule {
+              source_labels = ["__meta_kubernetes_pod_container_id"]
+              action = "replace"
+              target_label = "container_runtime"
+              regex = `^(\S+):\/\/.+$`
+              replacement = "$1"
+            }
+          }
+
+          // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.
+          loki.source.kubernetes "pod_logs" {
+            targets    = discovery.relabel.pod_logs.output
+            forward_to = [loki.process.pod_logs.receiver]
+          }
+
+          // loki.process receives log entries from other Loki components, applies one or more processing stages,
+          // and forwards the results to the list of receivers in the component's arguments.
+          loki.process "pod_logs" {
+            stage.static_labels {
+                values = {
+                  cluster = "server",
+                }
+            }
+
+            forward_to = [loki.write.default.receiver]
+          }
+
+          // loki.source.kubernetes_events tails events from the Kubernetes API and converts them
+          // into log lines to forward to other Loki components.
+          loki.source.kubernetes_events "cluster_events" {
+            job_name   = "integrations/kubernetes/eventhandler"
+            log_format = "logfmt"
+            forward_to = [
+              loki.process.cluster_events.receiver,
+            ]
+          }
+
+          // loki.process receives log entries from other loki components, applies one or more processing stages,
+          // and forwards the results to the list of receivers in the component's arguments.
+          loki.process "cluster_events" {
+            forward_to = [loki.write.default.receiver]
+
+            stage.static_labels {
+              values = {
+                cluster = "server",
+              }
+            }
+
+            stage.labels {
+              values = {
+                kubernetes_cluster_events = "job",
+              }
+            }
+          }

apps/kube-prometheus-stack/release-loki.yaml

@@ -0,0 +1,71 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: loki
+  namespace: kube-prometheus-stack
+spec:
+  chart:
+    spec:
+      chart: loki
+      version: 6.x
+      sourceRef:
+        kind: HelmRepository
+        name: grafana-community
+  interval: 15m
+  releaseName: loki
+  values:
+    loki:
+      auth_enabled: false
+      commonConfig:
+        replication_factor: 3
+      schemaConfig:
+        configs:
+          - from: "2024-04-01"
+            store: tsdb
+            object_store: s3
+            schema: v13
+            index:
+              prefix: loki_index_
+              period: 24h
+      pattern_ingester:
+          enabled: true
+      limits_config:
+        allow_structured_metadata: true
+        volume_enabled: true
+      ruler:
+        enable_api: true
+
+    minio:
+      enabled: true
+          
+    deploymentMode: SingleBinary
+
+    singleBinary:
+      replicas: 3
+
+    # Zero out replica counts of other deployment modes
+    backend:
+      replicas: 0
+    read:
+      replicas: 0
+    write:
+      replicas: 0
+
+    ingester:
+      replicas: 0
+    querier:
+      replicas: 0
+    queryFrontend:
+      replicas: 0
+    queryScheduler:
+      replicas: 0
+    distributor:
+      replicas: 0
+    compactor:
+      replicas: 0
+    indexGateway:
+      replicas: 0
+    bloomCompactor:
+      replicas: 0
+    bloomGateway:
+      replicas: 0

apps/kube-prometheus-stack/repository-grafana-community.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grafana-community
+  namespace: kube-prometheus-stack
+spec:
+  interval: 15m
+  url: https://grafana-community.github.io/helm-charts

apps/kube-prometheus-stack/repository-grafana.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grafana
+  namespace: kube-prometheus-stack
+spec:
+  interval: 15m
+  url: https://grafana.github.io/helm-charts

apps/media/jellyfin/networkresource.yaml

@@ -0,0 +1,13 @@
+apiVersion: netbird.io/v1alpha1
+kind: NetworkResource
+metadata:
+  name: jellyfin
+  namespace: media
+spec:
+  networkRouterRef:
+    name: homelab
+    namespace: netbird
+  serviceRef:
+    name: jellyfin
+  groups:
+    - name: All

apps/minecraft/release.yaml

@@ -1,50 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: minecraft
-  namespace: minecraft
-spec:
-  chart:
-    spec:
-      chart: minecraft
-      version: 5.x
-      sourceRef:
-        kind: HelmRepository
-        name: minecraft
-  interval: 15m
-  releaseName: minecraft
-  values:
-    serviceAnnotations:
-      metallb.io/loadBalancerIPs: 192.168.18.201
-
-    minecraftServer:
-      # This must be overridden, since we can't accept this for the user.
-      eula: true
-      # One of: LATEST, SNAPSHOT, or a specific version (ie: "1.7.9").
-      version: "LATEST"
-      ## The type of Minecraft server to run, check for related settings below
-      ## Common types: "VANILLA", "FABRIC", "FORGE", "SPIGOT", "BUKKIT", "PAPER",
-      ## "FTBA", "SPONGEVANILLA", "AUTO_CURSEFORGE"
-      ## ref: https://docker-minecraft-server.readthedocs.io/en/latest/types-and-platforms
-      type: "VANILLA"
-      # One of: peaceful, easy, normal, and hard
-      difficulty: normal
-      # A comma-separated list of player names to whitelist.
-      whitelist: DrDeww,lolobinbolo
-      # A comma-separated list of player names who should be admins.
-      ops: DrDeww
-      # A server icon URL for server listings. Auto-scaled and transcoded.
-      icon:
-      # Message of the Day
-      motd: "Welcome to Michael's Minecraft Server"
-      worldSaveName: world
-      # If you adjust this, you may need to adjust resources.requests above to match.
-      memory: 1024M
-      serviceType: LoadBalancer
-
-    persistence:
-      dataDir:
-        enabled: true
-        Size: 8Gi
-        accessModes:
-          - ReadWriteOnce

apps/minecraft/repository.yaml

@@ -1,9 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: minecraft
-  namespace: minecraft
-spec:
-  interval: 15m
-  url: https://itzg.github.io/minecraft-server-charts/
-

apps/nextcloud/release.yaml

@@ -7,7 +7,7 @@ spec:
   chart:
     spec:
       chart: nextcloud
-      version: 8.x
+      version: 9.x
       sourceRef:
         kind: HelmRepository
         name: nextcloud
@@ -126,47 +126,6 @@ spec:
       global:
         storageClass: longhorn
 
-    collabora:
-      enabled: true
-
-      # image:
-      #   tag: 24.04.11.1.1
-
-      collabora:
-        extra_params: --o:ssl.enable=false --o:ssl.termination=true
-
-        existingSecret:
-          enabled: true
-          secretName: "collabora-secret"
-          usernameKey: "username"
-          passwordKey: "password"
-
-      # securityContext:
-      #   runAsNonRoot: true
-      #   privileged: true
-      #   capabilities:
-      #     add:
-      #       - SYS_ADMIN
-      #       - MKNOD
-
-      ingress:
-        enabled: true
-        annotations:
-          cert-manager.io/cluster-issuer: "letsencrypt-prod"
-          external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-          traefik.ingress.kubernetes.io/router.entrypoints: websecure
-          traefik.ingress.kubernetes.io/router.tls: "true"
-        hosts:
-          - host: collabora.michaelthomson.dev
-            paths:
-            - path: /
-              pathType: ImplementationSpecific
-        tls:
-          - hosts:
-              - collabora.michaelthomson.dev
-            secretName: collabora-tls
-
     cronjob:
       enabled: true
 

apps/ntfy/deployment.yaml

@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ntfy
-  namespace: ntfy
-  labels:
-    app: ntfy
-spec:
-  revisionHistoryLimit: 1
-  replicas: 1
-  selector:
-    matchLabels:
-      app: ntfy
-  template:
-    metadata:
-      labels:
-        app: ntfy
-    spec:
-      containers:
-        - name: ntfy
-          image: binwiederhier/ntfy:v1.28.0
-          args: ["serve"]
-          env:
-            - name: TZ
-              value: America/Toronto
-            - name: NTFY_DEBUG
-              value: "false"
-            - name: NTFY_LOG_LEVEL
-              value: INFO
-            - name: NTFY_BASE_URL
-              value: https://ntfy.michaelthomson.dev
-          ports: 
-            - containerPort: 80
-              name: http
-          volumeMounts:
-            - mountPath: /etc/ntfy
-              subPath: server.yml
-              name: config-volume
-            - mountPath: /var/cache/ntfy
-              name: cache-volume
-      volumes:
-        - name: config-volume
-          configMap:
-            name: server-config
-        - name: cache-volume
-          persistentVolumeClaim:
-            claimName: pvc

apps/ntfy/ingress.yaml

@@ -1,27 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ntfy
-  namespace: ntfy
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-  - host: ntfy.michaelthomson.dev
-    http:
-      paths:
-      - pathType: Prefix
-        path: /
-        backend:
-          service:
-            name: service
-            port: 
-              name: http
-  tls:
-    - hosts:
-        - ntfy.michaelthomson.dev
-      secretName: ntfy-tls

apps/ntfy/pvc.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: pvc
-  namespace: ntfy
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 1Gi

apps/ntfy/server-config.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: server-config
-  namespace: ntfy
-data:
-  server.yml: |
-    cache-file: "/var/cache/ntfy/cache.db"
-    attachment-cache-dir: "/var/cache/ntfy/attachments"

apps/ntfy/service.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: service
-  namespace: ntfy
-spec:
-  type: ClusterIP
-  selector:
-    app: ntfy
-  ports:
-    - name: http
-      protocol: TCP
-      port: 80
-      targetPort:  http

apps/wg-easy/config.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: wg-easy-config
-  namespace: wg-easy
-data:
-  LANG: "en"
-  WG_HOST: "wireguard.michaelthomson.dev"
-  WG_PORT: "30000"
-  UI_TRAFFIC_STATS: "true"
-  UI_CHART_TYPE: "1"
-  ENABLE_PROMETHEUS_METRICS: "true"

apps/wg-easy/deployment.yaml

@@ -1,48 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wg-easy
-  namespace: wg-easy
-spec:
-  selector:
-    matchLabels:
-      app: wg-easy
-  template:
-    metadata:
-      labels:
-        app: wg-easy
-    spec:
-      # securityContext:
-      #   sysctls:
-      #   - name: net.ipv4.ip_forward
-      #     value: "1"
-      #   - name: net.ipv4.conf.all.src_valid_mark
-      #     value: "1"
-      containers:
-      - name: wg-easy
-        image: ghcr.io/wg-easy/wg-easy
-        imagePullPolicy: Always
-        envFrom:
-        - configMapRef:
-            name: wg-easy-config
-            optional: false
-        ports:
-        - containerPort: 30000
-          name: wg
-          protocol: UDP
-        - containerPort: 51821
-          name: http
-          protocol: TCP
-        securityContext:
-          capabilities:
-            add:
-            - NET_ADMIN
-            - SYS_MODULE
-        volumeMounts:
-        - name: config
-          mountPath: /etc/wireguard
-      restartPolicy: Always
-      volumes:
-      - name: config
-        persistentVolumeClaim:
-          claimName: wg-easy-config

apps/wg-easy/ingress.yaml

@@ -1,27 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: wg-easy
-  namespace: wg-easy
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-  - host: wireguard.michaelthomson.dev
-    http:
-      paths:
-      - pathType: ImplementationSpecific
-        path: /
-        backend:
-          service:
-            name: wg-easy
-            port: 
-              name: http
-  tls:
-    - hosts:
-        - wireguard.michaelthomson.dev
-      secretName: wg-easy-tls

apps/wg-easy/pvc-config.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: wg-easy-config
-  namespace: wg-easy
-spec:
-  resources:
-    requests:
-      storage: 1Gi
-  storageClassName: longhorn
-  accessModes:
-    - ReadWriteOnce

apps/wg-easy/service-dns.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: wg-easy-dns
-  namespace: wg-easy
-  annotations:
-    metallb.io/loadBalancerIPs: 192.168.18.245
-spec:
-  type: LoadBalancer
-  selector:
-    app: wg-easy
-  ports:
-  - name: wg
-    port: 30000
-    targetPort: wg
-    protocol: UDP

apps/wg-easy/service.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: wg-easy
-  namespace: wg-easy
-spec:
-  selector:
-    app: wg-easy
-  ports:
-  - port: 80
-    targetPort: http
-    name: http

bootstrap/apps/kustomization-baikal.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: baikal
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/baikal
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

bootstrap/apps/kustomization-minecraft.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: minecraft
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/minecraft
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

bootstrap/apps/kustomization-ntfy.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: ntfy
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/ntfy
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

bootstrap/apps/kustomization-wg-easy.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: wg-easy
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/wg-easy
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

infrastructure/configs/netbird/networkrouter.yaml

@@ -0,0 +1,8 @@
+apiVersion: netbird.io/v1alpha1
+kind: NetworkRouter
+metadata:
+  name: homelab
+  namespace: netbird
+spec:
+  dnsZoneRef:
+    name: homelab.local

infrastructure/controllers/generic-cdi-plugin/daemonset.yaml

@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: generic-cdi-plugin-daemonset
-  namespace: generic-cdi-plugin
-spec:
-  selector:
-    matchLabels:
-      name: generic-cdi-plugin
-  template:
-    metadata:
-      labels:
-        name: generic-cdi-plugin
-        app.kubernetes.io/component: generic-cdi-plugin
-        app.kubernetes.io/name: generic-cdi-plugin
-    spec:
-      containers:
-      - image: ghcr.io/olfillasodikno/generic-cdi-plugin:main
-        name: generic-cdi-plugin
-        command:
-          - /generic-cdi-plugin
-          - /var/run/cdi/nvidia-container-toolkit.json
-        imagePullPolicy: Always
-        securityContext:
-          privileged: true
-        tty: true
-        volumeMounts:
-        - name: kubelet
-          mountPath: /var/lib/kubelet
-        - name: nvidia-container-toolkit
-          mountPath: /var/run/cdi/nvidia-container-toolkit.json
-      volumes:
-      - name: kubelet
-        hostPath:
-          path: /var/lib/kubelet
-      - name: nvidia-container-toolkit
-        hostPath:
-          path: /var/run/cdi/nvidia-container-toolkit.json
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: "nixos-nvidia-cdi"
-                operator: In
-                values:
-                - "enabled"

infrastructure/controllers/longhorn/release.yaml

@@ -7,7 +7,7 @@ spec:
   chart:
     spec:
       chart: longhorn
-      version: 1.9.x
+      version: 1.11.x
       sourceRef:
         kind: HelmRepository
         name: longhorn
@@ -21,8 +21,7 @@ spec:
         enable: true
         jobList: '[{"name":"backup","isGroup":true},{"name":"snapshot","isGroup":true},{"name":"trim","isGroup":true}]'
     defaultBackupStore:
-      backupTarget: s3://mthomson-longhorn-backup@ca-central-1/
-      backupTargetCredentialSecret: wasabi-secret
+      backupTarget: nfs://192.168.18.99:/volume1/k8sbackupstore
       pollInterval: 0
     defaultSettings:
       replicaAutoBalance: best-effort

infrastructure/controllers/metallb/release.yaml

@@ -14,3 +14,5 @@ spec:
   interval: 15m
   releaseName: metallb
   values:
+    speaker:
+      ignoreExcludeLB: true

infrastructure/controllers/netbird/netbird-mgmt-api-key.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+data:
+    NB_API_KEY: ENC[AES256_GCM,data:bO72vA7WNMrb2baStVlDUbjRdwNaWswP5eGfXEBAPepjYIMmBJnCV81d8bEWClFcGw2MwDO2ulQ=,iv:x/swnBZgPhoz2lGjImqEvPPa8wNWTZJlCWo96hV63X8=,tag:T6yhV0to68Ybe5gcxsYedQ==,type:str]
+kind: Secret
+metadata:
+    name: netbird-mgmt-api-key
+    namespace: netbird
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBId2tXZ2krZFhiendhN3c2
+            OUN1V3RmRHBVQ1Z0T2FJTnU1WE9mRHp4QkNVCkpGOForQWFWN2FjdWppNG9hMFFK
+            d1N6ckMxdjFhT3NnRmVReG9jdXpMcFEKLS0tIFJ0RXJHQ2E2S08xUU9mdlFPTEd2
+            Rms3V1grTyt5L1pockJxNFRVUDFLMGsKLOj+Sxw/mzdmhdAp7G/NoVJixuL14we2
+            hwEank8H1TnOb/VynHUCYQrYaPXE+FkSYumhLo3IJC1ZMKzQUFp9dw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-05-07T17:46:40Z"
+    mac: ENC[AES256_GCM,data:RC07/U3NbwI5wU/ZbG+0A7nnDVlhBmcZsUevSmk9hqftFCCa4Q9R8q40XGFKod2pFl0SQzg8FXJPQABG6T9jYAKngD68zKD0wG2eHbXSxJiGT92nq2pkReOHZL/WFH6fGBse3RkXCjirwcIs27sLbXgdCCGmy36UU4CrnT3Nt5c=,iv:sQlS1M/58akJ1QdPGzpEZQaIxYk2QMwhdY3clIWnBCE=,tag:k95JRSlRzbMMbBNCCyB/8w==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.12.2

infrastructure/controllers/netbird/release.yaml

@@ -0,0 +1,20 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: netbird-operator
+  namespace: netbird
+spec:
+  chart:
+    spec:
+      chart: kubernetes-operator
+      sourceRef:
+        kind: HelmRepository
+        name: netbirdio
+  interval: 15m
+  releaseName: netbird-operator
+  values:
+    managementURL: "https://netbird.michaelthomson.dev:443"
+    netbirdAPI:
+      keyFromSecret:
+        name: "netbird-mgmt-api-key"
+        key: "NB_API_KEY"

infrastructure/controllers/netbird/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: netbirdio
+  namespace: netbird
+spec:
+  interval: 15m
+  url: https://netbirdio.github.io/helms

infrastructure/controllers/nvidia-device-plugin/release.yaml

@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nvidia-device-plugin
+  namespace: nvidia-device-plugin
+spec:
+  chart:
+    spec:
+      chart: nvidia-device-plugin
+      version: 0.17.x
+      sourceRef:
+        kind: HelmRepository
+        name: nvdp
+  interval: 15m
+  releaseName: nvidia-device-plugin
+  values:
+    runtimeClassName: nvidia
+    config:
+      default: time-slicing
+      map:
+        time-slicing: |
+          version: v1
+          sharing:
+            timeSlicing:
+              resources:
+              - name: nvidia.com/gpu
+                replicas: 5

infrastructure/controllers/nvidia-device-plugin/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: nvdp
+  namespace: nvidia-device-plugin
+spec:
+  interval: 15m
+  url: https://nvidia.github.io/k8s-device-plugin

infrastructure/controllers/nvidia-device-plugin/runtime-class.yaml

@@ -0,0 +1,5 @@
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: nvidia
+handler: nvidia

infrastructure/namespaces/namespace-baikal.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: baikal

infrastructure/namespaces/namespace-generic-cdi-plugin.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: generic-cdi-plugin

infrastructure/namespaces/namespace-gitea.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: gitea
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-homeassistant.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: homeassistant
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-longhorn.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: longhorn-system
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-media.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: media
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-metallb.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: metallb-system
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-minecraft.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: minecraft

infrastructure/namespaces/namespace-netbird.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: netbird
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-ntfy.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ntfy

infrastructure/namespaces/namespace-nvidia-device-plugin.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nvidia-device-plugin
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-sealed-secrets.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: sealed-secrets

infrastructure/namespaces/namespace-wg-easy.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: wg-easy